CCPA and CPRA: What They Mean for Website Analytics
How California's privacy laws treat analytics data, who has to comply, what opt-out really requires, and the simplest way to stay out of scope.
Last reviewed July 2026
California's CCPA, expanded by the CPRA, takes a different angle than the GDPR: instead of asking permission first, it gives consumers rights over data after collection, headlined by the right to opt out of the sale or sharing of personal information. Analytics sits squarely in the definitions, so it is worth understanding where your setup lands.
This guide covers the parts that matter for website measurement. It is general information, not legal advice.
Who has to comply
The CCPA applies to for-profit businesses that do business in California and meet at least one threshold: roughly 25 million dollars in annual gross revenue, or buying, selling, or sharing the personal information of 100,000 or more California consumers or households, or deriving half of revenue from selling or sharing personal information.
Small sites often fall outside the thresholds. But the visitor-count threshold is easier to cross than it sounds: a modest content site with US traffic can pass 100,000 California visitors in a year, and each one's cookie ID or IP address counts as personal information.
How analytics data fits the definitions
Personal information under the CCPA includes identifiers such as cookie IDs, device IDs, and IP addresses, along with internet activity like browsing and search history when it is reasonably linkable to a consumer or household. A classic analytics cookie that assigns a persistent unique ID and records the pages that person viewed checks both boxes.
The CPRA's addition of "sharing" matters most for measurement stacks. Sharing means disclosing personal information for cross-context behavioral advertising, whether or not money changes hands. Analytics that feeds an ad platform's audience building, the way ad-linked configurations of mainstream tools do, is the textbook case. That triggers the "Do Not Sell or Share My Personal Information" link, opt-out handling, and honoring the Global Privacy Control browser signal.
A vendor that only processes data on your behalf under a service-provider contract is the safer configuration: that disclosure is generally neither a sale nor sharing. The obligations that remain are disclosure in your privacy policy and handling consumer requests to know, delete, and correct.
The simplest position: keep no personal information
Every CCPA obligation attaches to personal information. Analytics that stores no cookies, keeps no raw IP addresses, and holds no identifier linkable to a person or household gives the law nothing to attach to. There is no sale, nothing to share, nothing to return for a request to know, and nothing for GPC to switch off.
That is the cookieless model, and it is how Analyse measures traffic, sources, and conversion funnels for every visitor. It also happens to satisfy the stricter European rules at the same time, so one setup covers both regimes; the GDPR guide covers that side.
A practical checklist
- Check the thresholds against your revenue and your California traffic. Remember that identifiers count as personal information even without names.
- Map where analytics data flows. Any connection into an ad platform's audience tooling likely counts as sharing and needs the opt-out machinery.
- If you stay with identifier-based analytics, put the vendor under a service-provider agreement, add the required links to your privacy policy, and honor GPC signals.
- If your questions are traffic, sources, and funnels, consider removing personal information from the equation entirely with a cookieless tool. The GA4 alternatives roundup compares the options.
- Watch the map. Colorado, Virginia, Connecticut, and a growing list of states have followed with similar laws, and the no-personal-data position holds up across all of them.
Frequently asked questions
Does the CCPA require a cookie banner?
No. California uses an opt-out model, not Europe's opt-in. You do not need permission before collecting, but covered businesses must offer a clear way to opt out of the sale or sharing of personal information and honor Global Privacy Control signals.
Is analytics data personal information under the CCPA?
Often yes. The definition covers identifiers like cookie IDs, IP addresses, and device identifiers, plus browsing history that is linkable to a consumer or household. Analytics that keeps none of those falls outside it.
Does sharing data with an analytics vendor count as a sale?
It can. The CPRA added "sharing" specifically to cover passing data for cross-context behavioral advertising, which caught common ad-connected analytics setups. A vendor under a service-provider agreement that only processes data on your behalf generally does not count.
My company is outside the US. Can the CCPA still apply?
Yes, if you do business in California and cross the thresholds, such as more than 25 million dollars in annual revenue or data on more than 100,000 California consumers or households. Location of the company is not the test.
Analytics without the banner
Analyse measures every visitor, funnel, and traffic source without cookies, so there is nothing for a consent banner to ask about. Try every feature free for 3 days.
Start free